Skip to content

v0.81.3

Pre-release
Pre-release

Choose a tag to compare

View all tags
@github-actions github-actions released this 25 Jun 03:19
· 36 commits to main since this release
Immutable release. Only release title and notes can be modified.
v0.81.3
77e1097
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

🌟 Release Highlights

This release focuses on expanded automation reach with org-wide update management, greater expressiveness through GitHub Actions expression support in more places, and a round of critical fixes across Windows, rootless installs, and assignee resolution.

⚠️ Breaking Changes

sandbox.agent.network-isolation renamed to sandbox.agent.default-route

The frontmatter key sandbox.agent.network-isolation has been renamed to sandbox.agent.default-route (#41302). Update any workflows using this key to use the new name.

✨ What's New

  • Organization-wide gh aw update β€” Run gh aw update across an entire org with dry-run PR previews before applying changes, making fleet-wide workflow upgrades safer and more auditable (#41247).
  • Templatable safe-outputs.staged values β€” safe-outputs.staged now accepts GitHub Actions expressions (${{ ... }}), enabling dynamic output values at workflow runtime (#41296).
  • link-sub-issue accepts GitHub expressions β€” The allowed-repos field in link-sub-issue now supports GitHub Actions expressions for more flexible cross-repo linking (#41237).
  • ready_for_review trigger support β€” pull_request_target workflows can now trigger on the ready_for_review event, enabling automation when draft PRs are marked ready (#41161).
  • GH_HOST support in gh aw trial β€” gh aw trial --clone-repo now correctly honors the GH_HOST environment variable for GHES environments (#41159).
  • Sudo enabled in agentic sandboxes β€” All agentic workflow sandboxes now have sudo available by default, unblocking common agent install patterns (#41313).
  • Firewall v0.27.10 + mcpg v0.3.30 β€” Network-isolated workflows omit unnecessary sudo from generated lock files; bundled firewall and MCP gateway updated (#41269).

⚑ Performance

  • Parallelized audit analysis β€” gh aw audit now runs analysis tasks in parallel, significantly reducing latency for long-running workflows (#41185).

πŸ› Bug Fixes

  • Windows ConPTY crash fixed β€” Removed a compat import that caused gh aw to crash on startup on Windows (#41235).
  • Rootless AWF install β€” gh aw installs correctly into $HOME/.local without root and properly exports $GITHUB_PATH in rootless environments (#41310).
  • Copilot assignee resolution restored β€” Assignee checks now prefer issue-scoped resolution, fixing cases where the wrong user was assigned (#41306).
  • UpdateContainerPins no longer wipes containers β€” Fixed a regression where gh aw update erased the entire containers section on every run (#41262).
  • Locked-PR 422 handled gracefully β€” Safe outputs now treats HTTP 422 on locked PRs as a soft skip with retry rather than a hard failure (#41155).
  • Compiler error quality improved β€” Errors now include accurate YAML context offsets, import hints, and early engine validation to help authors fix issues faster (#41234).
  • set_issue_type migrated to REST API β€” Replaced the GraphQL-based set_issue_type safe output with a single REST call for better reliability (#41241).
  • Linter fixes β€” lenstringsplit false positives with empty separators and ctxbackground false negatives in closures are resolved (#41188, #41187).
  • Codex MCP CLI wrapper resolution β€” Fixed safe output path resolution for the Codex MCP CLI wrapper (#41242).

πŸ“š Documentation

  • Safe rollout guidance streamlined for clarity (#41272).
  • Glossary updated with latest terminology (#41211).

Generated by πŸš€ Release Β· 36.2 AIC Β· ⊞ 8.3K

What's Changed

  • Remove redundant python-dataviz imports from daily reporting workflows by @pelikhan with @Copilot in #41158
  • Support ready_for_review for pull_request_target triggers by @pelikhan with @Copilot in #41161
  • fix: treat locked-PR 422 as soft skip with retry in safe_outputs by @pelikhan with @Copilot in #41155
  • Add SEC-005 exemption for issue_intents.cjs false positive by @pelikhan with @Copilot in #41182
  • Allow AgentRx native package installs in Daily AgentRx Trace Optimizer by @pelikhan with @Copilot in #41183
  • Pin Daily Sub-Agent Model Resolution Audit sub-agent to a valid Codex model by @pelikhan with @Copilot in #41184
  • Pin RGS-007 workflow action refs to immutable SHAs by @pelikhan with @Copilot in #41189
  • [docs] Update glossary - daily scan by @github-actions[bot] in #41211
  • Add replace-label to Safe Output Mapping in agentic workflow designer SKILL.md by @pelikhan with @Copilot in #41190
  • Honor GH_HOST in gh aw trial --clone-repo repository URLs by @pelikhan with @Copilot in #41159
  • fix(lenstringsplit): empty raw-string separator escapes non-empty guard β€” false positive + wrong autofix by @pelikhan with @Copilot in #41188
  • ctxbackground: fix false negative and unsafe autofix for closures by @pelikhan with @Copilot in #41187
  • Add explicit permissions to error-message-lint workflow by @pelikhan with @Copilot in #41233
  • [jsweep] Clean update_entity_helpers.cjs by @github-actions[bot] in #41166
  • fix(footer): render correct trigger type in attribution suffix by @pelikhan with @Copilot in #41186
  • Fix false negatives in docs npm update detection by @pelikhan with @Copilot in #41240
  • fix: normalize report formatting for daily-rendering-scripts-verifier.md by @pelikhan with @Copilot in #41245
  • perf: parallelize audit analysis tasks to cut latency for long-running workflows by @pelikhan with @Copilot in #41185
  • refactor(workflow): split threat_detection.go (1542 lines) into focused modules by @pelikhan with @Copilot in #41231
  • feat: link-sub-issue allowed-repos accepts GitHub Actions expressions by @pelikhan with @Copilot in #41237
  • Migrate set_issue_type safe output from GraphQL to single REST issues.update call by @pelikhan with @Copilot in #41241
  • ci: align build-wasm node setup to setup-node@v6 / Node 24 by @pelikhan with @Copilot in #41243
  • feat: omit sudo from generated lock.yml when network-isolation is enabled; bump firewall to v0.27.10 and mcpg to v0.3.30 by @lpcox with @Copilot in #41269
  • [review] Migrate set_issue_type safe output from GraphQL to single REST issues.update call by @github-actions[bot] in #41284
  • [docs] docs: unbloat safe rollout guidance by @github-actions[bot] in #41272
  • fix(windows): remove compat import to prevent ConPTY startup crash by @pelikhan with @Copilot in #41235
  • Fix compiler error quality: YAML context offset, import hint, early engine validation by @pelikhan with @Copilot in #41234
  • [docs] Update Astro dependencies - 2026-06-24 by @github-actions[bot] in #41258
  • [linter-miner] feat(linters): add stringreplaceminusone linter by @github-actions[bot] in #41285
  • fix: UpdateContainerPins wipes containers section on every gh aw update run by @pelikhan with @Copilot in #41262
  • Fix Codex MCP CLI wrapper resolution for safe outputs by @pelikhan with @Copilot in #41242
  • [rendering-scripts] Render Codex experimental JSONL logs in the run step summary by @github-actions[bot] in #41201
  • build(deps-dev): Bump starlight-github-alerts from 0.2.0 to 0.3.0 in /docs by @dependabot[bot] in #41000
  • build(deps): Bump sharp from 0.35.1 to 0.35.2 in /docs by @dependabot[bot] in #40999
  • [caveman] Optimize instruction verbosity β€” agentic-chat, campaign, developer.instructions (2026-06-24) by @github-actions[bot] in #41301
  • Reduce ambient-context bloat in shared Python dataviz import by @pelikhan with @Copilot in #41304
  • fix: use python3 -m pip install for Copilot Python SDK driver by @pelikhan with @Copilot in #41303
  • Support templatable safe-outputs.staged values and GitHub expressions by @pelikhan with @Copilot in #41296
  • [WIP] Refactor inline string-truncation reinventions and file-existence idioms by @pelikhan with @Copilot in #41191
  • Add organization-wide gh aw update mode with dry-run PR previews by @pelikhan with @Copilot in #41247
  • Rename frontmatter sandbox.agent.network-isolation β†’ sandbox.agent.default-route by @pelikhan with @Copilot in #41302
  • chore: enable sudo in all agentic workflow sandboxes by @pelikhan with @Copilot in #41313
  • Restore copilot assignee resolution by preferring issue-scoped assignee checks by @pelikhan with @Copilot in #41306
  • fix: rootless AWF install uses $HOME/.local and exports $GITHUB_PATH by @lpcox with @Copilot in #41310
  • [review] fix: rootless AWF install uses $HOME/.local and exports $GITHUB_PATH by @github-actions[bot] in #41321
  • Allow Daily Safe Output Integrator to read replace_label.go to prevent denial guardrail aborts by @pelikhan with @Copilot in #41329
  • test(actionpins): improve assertion quality and add missing coverage in spec_test.go by @pelikhan with @Copilot in #41330
  • Remove private: true from blog-referenced workflows, issue-monster, q, and ci-coach by @pelikhan with @Copilot in #41342
  • Bump pinned CLI and Playwright browser versions by @pelikhan with @Copilot in #41328

Full Changelog: v0.81.2...v0.81.3

Contributors

pelikhan, lpcox, and dependabot
Assets 17
Loading